June 21, 2018

June 20, 2018

Subscribe to Latest Legal News and Analysis

June 19, 2018

Subscribe to Latest Legal News and Analysis

June 18, 2018

Subscribe to Latest Legal News and Analysis

Can Personal Data Be Used As Payment For Free Online Services?

On 14 March 2017, the European Data Protection Supervisor (EDPS) issued its Opinion on the protection of personal data when it is used in lieu of payment for “free” online services.  The EDPS is an independent EU body responsible for advising the EU institutions on data protection matters.

The Opinion was issued following a request by the EU Council in regard to a package of legislative proposals on contracts for the supply of digital services (e.g. social media platforms and cloud computing services) and the online sale of digital goods (including films, computer programmes, mobile applications, etc.) Among the aims of the proposed directives is to provide protection to consumers who are required to disclose their personal data as a condition of the supply of “free” online services.

The Opinion warns that the concept of “data as counter-performance” in digital contracts, as set out in the proposed directives, could cause confusion and alter the balance struck by the General Data Protection Regulation (GDPR). The Opinion considers that the concept of counter-performance must be aligned with the consent provisions of the GDPR, which establish new conditions for evaluating whether consent has been freely given in the context of digital transactions.  The EDPS is concerned that the proposed directives would effectively overturn the GDPR’s presumption that the processing of personal data based on consent, in the context of a contract, would not be legitimate unless the data being processed was necessary for the performance of the contract.

The Opinion goes on to note that the use of the “balance of interests” test to legitimise processing in this context would have to be examined on a case-by-case basis. As a rule of thumb, however, “the uses of data in a digital environment require a free, specific, informed and unambiguous ‘opt-in’ consent” and should not rely on the legitimate interests of the controller (notwithstanding the explicit reference in GDPR Recital 47 to direct marketing constituting a potential legitimate interest).

Referencing the case law of the European Court of Human Rights, the Opinion states that in the EU, personal data cannot be treated as a mere economic asset but, rather, is subject to the protections of the EU Charter on Fundamental Rights. The EDPS observes that:  “There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give that market the blessing of legislation.”

The Opinion concludes by recommending, among other things, that the term “data as counter-performance” should be avoided, so that the directives are not misconstrued as limiting the protection of consumers’ personal data when such data is provided in exchange for “free” digital goods or services. The EDPS recommends, instead, that the proposed directives be linked explicitly to the requirements of the GDPR and the e-Privacy legislation (a proposed Regulation on e-Privacy is also currently pending before the EU Parliament and Council).

© Copyright 2018 Squire Patton Boggs (US) LLP


About this Author

Ann J. LaFrance, Squire Patton Boggs, Cybersecurity Matters Lawyer, Telecommunications Attorney

Ann LaFrance co-leads our Data Privacy & Cybersecurity practice. Drawing on more than 20 years of industry experience, Ann advises clients on telecommunications regulation and new media policy, competition law, dispute resolution and European Union ('EU') data protection matters.

44 20 7655 1752
Asel Ibraimova, Squire Patton, Media Industry Lawyer, data controllers attorney

Asel Ibraimova is an associate with expertise in European data protection matters.

Asel has worked in the healthcare industry and media industry, representing the interests of both data controllers and data processors. She has advised on methods of international transfer of personal data, on data protection issues related to the launch of websites, apps, mobile devices and online personalization services. She has negotiated data protection contracts with major online service providers, including cloud providers. Asel has drafted data protection policy documents for large organisations, templates of data protection clauses for procurement and employment purposes, technology contracts and strategic planning documents for legal teams in preparation for continuing changes in data protection law in Europe.